Innovation has currency in risk management discourse. I presented “How Risk Managers Can Lead Innovation” at the Infonex Public Sector Risk Management Conference (February 2 – 3, 2010) in Ottawa. Sasha Shymanska, the conference organizer, originally suggested to me a topic to link risk management with innovation, but then was hesitant as the idea did not at first have internal support. But I knew she was on the right track, and encouraged her to keep it on the agenda.

The title of this year’s RIMS ERM Conference (Nov 1-3, 2011, San Diego) is “Where Risk Meets Innovation”.

Many risk managers will be puzzled by the possibility of a link between the two. It is curious that the economic crisis has raised the profile of both the traditionally conservative profession of risk management and its polar opposite, high-risk invention. Yet a risk manager’s identification of risk becomes, with the right attitude and support, a structured and thorough search for opportunity for innovation.

We can see that invention and novel practices, even for mere survival, have a renewed relevance in general business discourse, especially in view of the economic downturn. One good source, for example, is the BusinessWeek site on innovation. In the public sector, the CCAF-FCVI convened a symposium Risk, Innovation and Control back in the fall of 2008.

General ideas of encouraging innovation and responsible risk-taking are familiar. Risk managers will need to know exactly how to build such a culture. If they are to take a hands-on role, they will also need tools and methods to actually begin exploratory projects. I believe the risk professional is perfectly situated to take the role of facilitator, who leads the discussion of risk and opportunity amongst subject matter and program experts. Innovation needs champions, and the risk manager can help not only greenhouse new ideas, but assist in their evaluation within a graduated framework of intended benefits. Finally, the risk professional can assist with implementation according to proven principles.

It is useful for risk managers to recognize a divide in the literature. Some tacitly accept ERM pretty much as the standards and guidelines describe it; others take ERM a social construct – something that does not really exist as it presents itself. This is an important distinction because there is no way to understand and evaluate ERM without taking a critical view.

Enterprise Risk Management is conceptualized in a critical way by Michael Power in his book Organized Uncertainty: Designing a World of Risk Management (Toronto: Oxford University Press, 2007). Standard functions for audit at one time were to check compliance and probity. Power argues that, now, internal control has been reconstituted as risk management. A central thesis in this book is that the idea of risk has taken over as an organizing principle.

We are all familiar with “change fatigue” – and the fact that Enterprise Risk Management has been viewed as just another “flavour of the month”. Many implementations have gotten stuck, complaints of red tape are common, and many are still reporting poor ability to identify and assess risk. The puzzle, as Michael Power points out, is “the continuing co-existence of local critique and world-level conformity” (p.197).

ERM has evidently persisted, even through “the failure of ERM” to predict the economic crisis. Is it because practitioners find that ERM works to create and preserve value? Or, is it because the values that ERM represents are necessary as a sort of exercise in legitimacy? Compliance and risk governance, from Power’s perspective, make up a “moral economy” (p.192).

Power calls into question another mainstay of ERM: “Reputation has come to be a modality of organizational governance but is not itself uniquely governed by any specific interest group or expertise.”(p.185). I’m not sure about the last part of that sentence, because public relations and brand are what some people live for. But obsession with reputation risk – as a program objective – occurs, whether in the private sector, or in government where civil servants should be managing their programs and not politicians’ PR. Power points out that this focus on reputation has now transformed it into a “first order” risk, rather than a downstream consequence.

Many people in government have asked me: what about opportunity? Opportunity is indeed part of the rhetoric, but you will scarcely find it supported with methodology in guidelines and standards. Power’s assessment: “ERM, which celebrates the entrepreneurial spirit of risk taking, may paradoxically lead to an exacerbation of control” (p.199).

I have seen enterprise risk management implemented without an excess of red tape; I have seen it fulfill, at least in part, its mandate. Practitioners, in taking a critical view, might assess whether or not their ERM programs are taking on characteristics they had not intended.

Risk management surveys
The Economist Intelligence Unit has released a report entitled “Fall guys: Risk management in the front line”. It is based on a survey of banking and insurance executives both within and outside the risk function, supplemented by interviews with other risk experts.

The report paints a picture, on one hand, of an increased appreciation for risk managers, where many have acquired more authority within improved risk governance structures. This is a response to the economic crisis. On the other hand, respondents who believe their firms are effective in detecting emerging risks are still in the minority (35% – p.3. para.7). This same discrepancy – the risk function’s high importance but low perceived effectiveness – appears in previous risk management surveys (see summary in this online introductory presentation).

Risk managers’ role
I found it encouraging that, according to this new report, risk managers wish to broaden their role by being “constructive”, “enabling”, and assisting managers to “achieve their business objectives” (p.4 para.2). Helping risk managers do just that is pretty much my whole mission in ERM! But relatively few firms even have risk managers participating in important business and strategic decision-making (p.4 para.1) The authors lament:

…there continues to be a perception among some senior managers that it is a support function staffed with narrowly focused specialists, such as business continuity planners, insurance buyers, or health and safety officers. Risk managers can find it difficult to break out of this mould and convince senior-level management that they have a contribution to make… (p.7 para.4).

This leads to the question: how can risk managers who aspire to support strategic planning and opportunity analysis move into that space? The authors regret a “cultural barrier”, and say it is a matter of better communication. But risk managers must prove they can actually help identify key business implementation risks, and can steward the innovation process, before they can be invited to fulfill those planning roles.

Risks and opportunity management: effective methods
They will not prove their value in planning by relying on the formalistic and bureaucratic aspects of the ERM program (PR, kick-off speeches, disseminating policy, etc.). Rather, they must demonstrate effective processes. They must facilitate sessions dedicated to the analysis and mitigation of critical risks, and the identification of opportunities for innovation — in any context required by the internal client.

Risk managers must aggregate information for the board – but can they deliver insightful risk information that serves as a sound basis for strategic decision-making?

Risk managers must address long-term strategy and emerging risks. But do they know how to conduct a future scenario planning process? (See the report p.9 for a discussion of how the Lego senior director for strategic risk management uses risk scenarios.)

Risk managers must help identify opportunities. The authors report: “The average company’s risk register contains only threats, not opportunities” (p.8). My response is: should we really expect opportunities to show up within a risk register? To identify opportunities systematically, and subsequently develop them into sound business propositions and implement innovation — this all requires dedicated techniques. Risk managers are well-positioned to lead this process.

Conclusion: Managing innovation and opportunity is done incrementally
Risk managers who are aspiring to expand their roles can start with small pilot projects, even as experiments. I wrote a description of collaborative risk assessment in business (“No risk in collaboration”) in the September 2010 edition of Canadian Underwriter. You must have a sound process for identifying risks comprehensively as a basis. Principles of engendering and managing innovation are closely related. If you can help one client solve a critical business problem and meet objectives, then the next department will come knocking on your door.

I am going to launch into some new enterprise risk management research, especially to see its interaction with managing innovation. I will be working with my Danish colleague, Ulrik Christiansen. We haven’t completed a literature review, but we can see that much of the study of enterprise risk management is influenced by the trade literature, almost taking ERM for granted as a phenomenon unto itself, while, in practice, the implementation of what is called ERM is diverse. Similarly, risk is supposed to be managed together with opportunity, which is mentioned in the standards. In practice, though, do risk professionals actually recognize and manage opportunity systematically?

Another line of inquiry is to get away from the rational model, and consider the behavioural, motivational and psychological influences in risk and opportunity decision-making. Personal backgrounds, formation and education can also be determinants of opportunity-seeking behaviour and risk aversion. So we have a series of constructs to explore and define, somewhat along these lines:

1. the level of study

a. risk managers
b. Chief Risk Officers
c. R&D managers

2. the personal attributes sought

In addition to dispositional traits, discoverable through questionnaires, we can also investigate education and training, both formal and informal.

3. the situational construct

We have to define this closely; we need comparable situations or organizational contexts: